Thomas Chopitea

Thomas has been a DFIR practitioner for 10+ years. He's currently a Security Engineer in the DFIR team at Google who loves running towards the proverbial cyber fires. He enjoys detective work and poking malware with a long stick, and has given talks about DFIR, malware analysis, and threat intelligence at many conferences throughout Europe and the US.


Session

10-23
16:45
30min
DFIQ - Codifying digital forensic intelligence
Thomas Chopitea

CTI practitioners have threat intelligence databases; what about digital forensics practitioners? How can they organize knowledge and ensure that investigations are carried out in a repeatable manner? In the same way that threat intelligence describes attackers, capabilities, and infrastructure, Digital Forensics Intelligence describes the relationship between systems, questions, and investigation techniques.

Enter DFIQ (Digital Forensics Investigative Questions; https://dfiq.org/): a framework used to model scenarios, questions and approaches in digital forensics investigations. This talk will take a deeper dive into the DFIQ model and, more importantly, the different ways it is used in practice to support forensic investigators' day-to-day activities, ensure that investigations reach repeatable conclusions, and enable knowledge sharing among analysts. We'll discuss how DFIQ is stored in Yeti, used in Timesketch, and can drive end-to-end collection and analysis workflows that accelerate and structure investigations in large enterprise environments.

topic: CTI
Europe - Main Room